Skynet - Router Firewall & Security Enhancements


Code:
# wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
/jffs/scripts/firewall: No such file or directory
 

Code:
admin@RT-AC68U-EE20:/jffs/scripts# wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
--2017-05-29 19:25:47--  https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
Resolving raw.githubusercontent.com... 151.101.96.133
Connecting to raw.githubusercontent.com|151.101.96.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33178 (32K) [text/plain]
Saving to: '/jffs/scripts/firewall'

/jffs/scripts/firewall                                              100%[===================================================================================================================================================================>]  32.40K  --.-KB/s   in 0.02s 

2017-05-29 19:25:48 (1.56 MB/s) - '/jffs/scripts/firewall' saved [33178/33178]

admin@RT-AC68U-EE20:/jffs/scripts#

Not sure exactly what's going on considering the command should create the file, can you show me the output of the following?

Code:
ls /jffs/scripts

Thanks
 
All Good now.
I set the wipe jffs on reboot flag in the interface and that seems to have fixed it.
I can now install your script again
 

@Adamm a few minutes ago I initiated an update to v4.5.1 via ./firewall update

The result was as expected,

Code:
Skynet: [New Version Detected - Updating To ]... ... ...

Done.

However, when I checked /jffs/scripts/firewall the file was zero bytes.

I then issued the wget command manually and it failed, but when I ran the wget again with --no-check-certificate I got the file.

Hopefully this may help.
 
I then issued the wget command manually and it failed, but when I ran the wget again with --no-check-certificate I got the file.

Strange, I removed that flag because I assume github being a reputable company will always have valid certs (and in all my testing I never had download fail without it). Can you post me the output of the command failing by any chance? Would be a huge help in tracking down what is going on. Sorry about the inconvenience to anyone involved!
 

The failed wget...

Code:
admin@RT-AC3100:/jffs/scripts# wget -O /jffs/scripts/firewall https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at '/root/.wget-hsts'. HSTS will be disabled.
--2017-05-29 09:36:33--  https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh
Resolving raw.githubusercontent.com... 151.101.20.133
Connecting to raw.githubusercontent.com|151.101.20.133|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.
 
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file. ERROR: could not open HSTS store at '/root/.wget-hsts'. HSTS will be disabled.

Now this makes things a lot clearer, sorry to be a pain but can you also post the output of:

Code:
wget -V

I think we found the issue :p
 

The version my system is using is from entware, not busybox. Perhaps that is the issue. But I have not changed anything in months and was getting the Skynet updates daily including last night. Here is the output...

Code:
admin@RT-AC3100:/jffs/scripts# wget -V
GNU Wget 1.18 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink -nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
    /opt/etc/wgetrc (system)
Compile:
    arm-openwrt-linux-gnueabi-gcc -DHAVE_CONFIG_H
    -DSYSTEM_WGETRC="/opt/etc/wgetrc" -DLOCALEDIR="/opt/share/locale"
    -I. -I../lib -I../lib
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/toolchain-arm_cortex-a9_gcc-6.3.0_glibc-2.23_eabi/usr/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/toolchain-arm_cortex-a9_gcc-6.3.0_glibc-2.23_eabi/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include
    -DNDEBUG -O2 -pipe -march=armv7-a -mtune=cortex-a9
    -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable
    -Wno-error=unused-result -mfloat-abi=soft
Link:
    arm-openwrt-linux-gnueabi-gcc
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include
    -I/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/include
    -DNDEBUG -O2 -pipe -march=armv7-a -mtune=cortex-a9
    -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable
    -Wno-error=unused-result -mfloat-abi=soft
    -L/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib
    -L/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/lib
    -Wl,-rpath,/opt/lib
    -Wl,-rpath-link=/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib
    -Wl,--dynamic-linker=/opt/lib/ld-linux.so.3
    -L/media/ware4/Entware-ng.2017.02/staging_dir/toolchain-arm_cortex-a9_gcc-6.3.0_glibc-2.23_eabi/usr/lib
    -L/media/ware4/Entware-ng.2017.02/staging_dir/toolchain-arm_cortex-a9_gcc-6.3.0_glibc-2.23_eabi/lib
    -L/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib
    -lpcre
    /media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib/libssl.so
    /media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib/libcrypto.so
    -ldl
    -L/media/ware4/Entware-ng.2017.02/staging_dir/target-arm_cortex-a9_glibc-2.23_eabi/opt/lib
    -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
 
The version my system is using is from entware

As expected, makes a lot more sense now (and why I never noticed it). The busybox version is only 1.16.

I'll re-add compatibility (long unnecessary commands :() shortly for anyone affected. Thanks for helping me track this down

EDIT; Done - This will have to be a manual update for anyone affected though, sorry about that.
 
The busybox version is only 1.16.

Asuswrt-Merlin has a full-fledged wget, it's not the cut-down busybox applet.

I compile it with an option to point it at the CA root file, which I also include in the firmware. That's why the firmware's built-in wget is able to deal with SSL certificates.
 
'll re-add compatibility (long unnecessary commands :()

Just provide the fully-qualified path to wget, this way you'll know you're using the firmware's version and not any Entware build.
 

Good call, thanks. Implemented this and pushed the update. Won't need to manually download this if you downloaded the last fix I posted.
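As an added example (not Skynet's own code), a download step that follows the fix discussed above: call the firmware's wget by its full path so no Entware build on $PATH is picked up, and refuse to replace the installed script when the transfer fails or comes back as the zero-byte file reported earlier. It assumes the firmware wget is at /usr/sbin/wget on Asuswrt-Merlin; WGET can be overridden.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Assumption: the firmware's own wget
# lives at /usr/sbin/wget on Asuswrt-Merlin; WGET may be overridden.
WGET="${WGET:-/usr/sbin/wget}"

# fetch_script URL DEST
# Downloads URL with the firmware wget into a temp file and only moves it over
# DEST once it is known to be a non-empty shell script. Returns 0 on success;
# on any failure DEST is left untouched and 1 is returned.
fetch_script() {
    url="$1"
    dest="$2"
    tmp="$dest.tmp.$$"

    # wget -O creates the output file before the transfer, so a failed TLS
    # check can leave an empty file behind; trust the exit code, not the file.
    if ! "$WGET" -q -O "$tmp" "$url"; then
        echo "fetch_script: download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    # Belt and braces: an empty file is never a valid update.
    if [ ! -s "$tmp" ]; then
        echo "fetch_script: $url returned an empty file" >&2
        rm -f "$tmp"
        return 1
    fi
    # The update must be a script (shebang on line 1), not an HTML error page.
    if ! head -n 1 "$tmp" | grep -q '^#!'; then
        echo "fetch_script: $url does not look like a shell script" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 755 "$tmp" && mv "$tmp" "$dest"
}
```

Usage on the router would be `fetch_script https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh /jffs/scripts/firewall`.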
 
Adamm - thanks for your wonderful work - now running it on AC87-A300 on Merlin 380.66-4 with ab-solution 3.8.1 & pixelserv - since first installation running smooth - as I'm a rookie I was a bit afraid to jump in. But worked flawlessly also tried reboot - all good - big THANKS
 

Thanks, I try to make it as user-friendly as possible so anyone can use it. Glad it's working well for you.
 
Adamm or somebody, so what is now happening? Can somebody help?

Log totally flooooded by this, left only the last 2, so tried to BAN the IP - skynet says it is already banned... so what are the other logs? I have a static IP due to a WS2016 home server essentials with an address /myadress/.remotewebaccess.com

May 30 09:45:09 kernel: DROP IN=v6tun0 OUT= MAC=74:b6:c8:0e:3e:48:62:76:fe:18:84:08:00:45:00:00:6e:00:00:40:00:38:29:ae:ba:5b:7f:36:98:5f:69:a2:2c:60:00:00:00:00:32:11:3f:20:02:5b:7f:36:98:12:34:dc:ed:17 TUNNEL=91.127.54.152->/my.ip.adress is here/ SRC=2002:5b7f:3698:1234:dced:1751:f869:f16a DST=2002:5f69:a22c:0000:0000:0000:0000:0001 LEN=90 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=54190 DPT=53 LEN=50

May 30 09:47:59 kernel: DROP IN=v6tun0 OUT= MAC=74:b6:c8:0e:3e:48:62:76:fe:18:84:08:00:45:00:00:67:00:00:40:00:38:29:ae:c1:5b:7f:36:98:5f:69:a2:2c:60:00:00:00:00:2b:11:3f:20:02:5b:7f:36:98:12:34:dc:ed:17 TUNNEL=91.127.54.152->/my.ip.adress is here/ SRC=2002:5b7f:3698:1234:dced:1751:f869:f16a DST=2002:5f69:a22c:0000:0000:0000:0000:0001 LEN=83 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=54963 DPT=53 LEN=43

May 30 09:56:16 pixelserv[6970]: api.taplytics.com _.taplytics.com missing

May 30 09:56:17 pixelserv[1188]: cert _.taplytics.com generated and saved

May 30 10:00:02 Skynet: [Complete] 26 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 32 IP / 0 Range Connections Blocked! [1s]

May 30 10:00:56 disk_monitor: Got SIGALRM...

May 30 11:00:01 Skynet: [Complete] 30 IPs / 0 Ranges banned. 4 New IPs / 0 New Ranges Banned. 1052 IP / 0 Range Connections Blocked! [1s]

May 30 11:16:18 dropbear[15652]: Child connection from 192.168.1.2:54678

May 30 11:16:27 dropbear[15652]: Password auth succeeded for 'Administrator' from 192.168.1.2:54678

May 30 11:16:45 Skynet: [Complete] 30 IPs / 0 Ranges banned. 0 New IPs / 0 New Ranges Banned. 1704 IP / 0 Range Connections Blocked! [1s]

May 30 11:17:07 Skynet: [Adding 46.229.230.227 To Blacklist] ... ... ...

May 30 11:17:07 Skynet: [Complete] 31 IPs / 0 Ranges banned. 1 New IPs / 0 New Ranges Banned. 1711 IP / 0 Range Connections Blocked! [0s]

May 30 11:17:09 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=74:e1:b6:c8:0e:3e:48:62:76:fe:18:84:08:00 SRC=46.229.230.227 DST=/my.ip.adress is here/ LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=465 DPT=54688 SEQ=1993094072 ACK=1730319279 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030309)

May 30 11:17:15 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=74:e1:b6:c8:0e:3e:48:62:76:fe:18:84:08:00 SRC=46.229.230.227 DST=/my.ip.adress is here/ LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=995 DPT=54661 SEQ=3147868951 ACK=446396549 WINDOW=5840 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030309)

thanks for the help...
 
Log totally flooooded by this left only 2 last ones

With debug print enabled, it will print in syslog every time a banned IP has a connection attempt dropped, and all these messages are purged from the syslog at the end of every hour. As you can probably see this at times gets spammy depending on what it's blocking. That being said, if a clean syslog is important to you, you can disable debug mode in the installer, the downside being you lose some stat reporting functionality as it will only track new bans rather than all connection drops.

https://otx.alienvault.com/indicator/ip/46.229.230.227/

It looks like this IP belongs to a webmail client of sorts (maybe an IMAP server); if this is something you intentionally use it was probably a false positive and you can whitelist the IP.

May 30 09:45:09 kernel: DROP IN=v6tun0 OUT= MAC=74:b6:c8:0e:3e:48:62:76:fe:18:84:08:00:45:00:00:6e:00:00:40:00:38:29:ae:ba:5b:7f:36:98:5f:69:a2:2c:60:00:00:00:00:32:11:3f:20:02:5b:7f:36:98:12:34:dc:ed:17 TUNNEL=91.127.54.152->/my.ip.adress is here/ SRC=2002:5b7f:3698:1234:dced:1751:f869:f16a DST=2002:5f69:a22c:0000:0000:0000:0000:0001 LEN=90 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=54190 DPT=53 LEN=50

May 30 09:47:59 kernel: DROP IN=v6tun0 OUT= MAC=74:b6:c8:0e:3e:48:62:76:fe:18:84:08:00:45:00:00:67:00:00:40:00:38:29:ae:c1:5b:7f:36:98:5f:69:a2:2c:60:00:00:00:00:2b:11:3f:20:02:5b:7f:36:98:12:34:dc:ed:17 TUNNEL=91.127.54.152->/my.ip.adress is here/ SRC=2002:5b7f:3698:1234:dced:1751:f869:f16a DST=2002:5f69:a22c:0000:0000:0000:0000:0001 LEN=83 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=UDP SPT=54963 DPT=53 LEN=43

These two are connection blocks on your IPv6 tunnel I assume. I don't have an IPv6 capable provider so I may look into specifying select interfaces to block rather than all.
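As an added example (not Skynet's own code), a small summarizer for the [BLOCKED - RAW] syslog lines discussed above: it groups drops by source address and lists the source ports seen, so that SYN/ACK replies arriving from mail ports such as the 465 and 995 in this log stand out as the router's own sessions being answered, i.e. the kind of false positive worth whitelisting. The sample lines are constructed and the function reads any syslog text on stdin.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Reads syslog text on stdin and prints
# one line per blocked source: "<SRC> <drop count> <source ports seen>".
# Replies from 465/993/995 (SMTPS/IMAPS/POP3S) usually mean a mail server the
# router itself contacted is being blocked, i.e. a candidate for whitelisting.
summarize_blocks() {
    grep 'BLOCKED - RAW' | awk '
    {
        src = ""; spt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^SPT=/) spt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        # record each source port once, in first-seen order
        if (!((src, spt) in seen)) {
            seen[src, spt] = 1
            ports[src] = (ports[src] == "" ? spt : ports[src] "," spt)
        }
    }
    END { for (s in hits) print s, hits[s], ports[s] }' | sort
}

# Constructed sample: two blocked mail-server replies, one unrelated block,
# and one v6tun0 DROP line that is not a Skynet block and must be ignored.
SAMPLE='May 30 11:17:09 kernel: [BLOCKED - RAW] IN=eth0 OUT= SRC=46.229.230.227 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=465 DPT=54688 ACK SYN
May 30 11:17:15 kernel: [BLOCKED - RAW] IN=eth0 OUT= SRC=46.229.230.227 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=995 DPT=54661 ACK SYN
May 30 11:18:00 kernel: [BLOCKED - RAW] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=443 DPT=51000 ACK SYN
May 30 09:45:09 kernel: DROP IN=v6tun0 OUT= SRC=2002:5b7f:3698::1 DST=2002:5f69:a22c::1 PROTO=UDP SPT=54190 DPT=53'

# summarize_sample: run the summarizer over the constructed lines
summarize_sample() {
    printf '%s\n' "$SAMPLE" | summarize_blocks
}
```

On the router the same function can be fed the live log with `summarize_blocks < /tmp/syslog.log`.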
 
Adamm or somebody so what is now happening? Can somebody help?

I just pushed v4.5.5. Please update and let me know how it goes. You may want to clear your blacklist after (unban all) in case any IPv6 stuff was incorrectly picked up. Thanks
 

Thank you - it was really a false alarm - and the IMAP server indeed. Will try to sort out whitelist and blacklist certain things in use.
 

I pushed another update just now to prevent email servers getting banned, invalid packets will only be dropped. This should stop such false positives in future.
 
